A security researcher has found a way to hijack Microsoft’s software automation tool to send ransomware to connected machines and steal data from devices.
The attack exploits no flaw in the tool itself: it uses the automation platform exactly as designed, but instead of distributing legitimate business actions to connected machines it distributes malware, says Michael Bargury, the cofounder and CTO of security firm Zenity, which is behind the work.
“My research showed that you can very easily, as an attacker, take advantage of all of this infrastructure to do exactly what it is supposed to do,” Bargury says. “You [then] use it to run your own payloads instead of the enterprise payloads.” The researcher documented his work at the DefCon hacker conference last month and has since released the code.
The attack is based on Microsoft’s Power Automate, an automation tool that ships built into Windows 11. Power Automate includes a form of robotic process automation, also known as RPA, in which software mimics a human’s clicks and keystrokes to complete tasks. If you want to get a notification each time an RSS feed is updated, you can build a custom flow to make that happen. Thousands of these automations exist, and Microsoft’s software can link up Outlook, Teams, Dropbox, and other apps.
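Because the tool ships with Windows 11, the first question a defender will ask is which hosts actually have the desktop components installed and the background service running. The script below is an added example, not code from the article, from Bargury, or from Zenity: it inventories a single host for the Power Automate desktop package, its service, and any of its running processes. The package name pattern, the service name (assumed here to be UIFlowService, display name "Power Automate Service") and the PAD.* process prefix are assumptions about a typical Windows 11 install and should be checked against your own systems.

```powershell
# Added example (not from the article or Zenity): a host inventory check a
# defender can run to see whether the Windows 11 Power Automate desktop
# components described above are present on a machine. Package, service and
# process names are assumptions from a typical Windows 11 install; adjust
# them to match what your own systems report.

function Get-PowerAutomateFootprint {
    [CmdletBinding()]
    param()

    # Store (MSIX) packaging used by the Windows 11 in-box install.
    # A wildcard keeps the check working if the exact package name differs.
    # -AllUsers needs an elevated shell; errors are suppressed otherwise.
    $pkgs = Get-AppxPackage -AllUsers -Name '*PowerAutomate*' -ErrorAction SilentlyContinue

    # The background service that executes cloud-triggered desktop flows on
    # this host. Service name 'UIFlowService' and display name
    # 'Power Automate Service' are assumptions; match on either.
    $svc = Get-Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'UIFlowService*' -or $_.DisplayName -like '*Power Automate*' }

    # Running product processes (the 'PAD.' prefix is an assumption).
    $procs = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -like 'PAD.*' -or $_.ProcessName -like 'Power Automate*' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PackageFound   = ($pkgs | Measure-Object).Count -gt 0
        PackageVersion = ($pkgs | Select-Object -First 1 -ExpandProperty Version)
        ServiceFound   = ($svc | Measure-Object).Count -gt 0
        ServiceStatus  = ($svc | Select-Object -First 1 -ExpandProperty Status)
        ServiceStart   = ($svc | Select-Object -First 1 -ExpandProperty StartType)
        RunningProcs   = ($procs | Select-Object -ExpandProperty ProcessName) -join ','
    }
}

# Run locally; across a fleet, invoke it remotely per host, for example:
#   Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-PowerAutomateFootprint}
Get-PowerAutomateFootprint | Format-List
```

A host where the service is present and set to start automatically is one on which flows created elsewhere can be executed locally, which is the surface the article describes; an idle process list on its own says nothing about whether such flows are configured, since that configuration lives in the cloud side of the service rather than on the endpoint.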
The software is part of a broader low-code/no-code movement that aims to give people tools for building applications without writing any code. “Every business user now has the power that the developer used to have,” Bargury says. His company exists to help secure low-code/no-code apps.